@mariselli
Last active August 29, 2015 14:27
Symfony2 Security configurations with FOSOAuthServerBundle
# app/config/security.yml
security:
    firewalls:
        oauth_token:
            pattern: ^/oauth/v2/token
            security: false

        oauth_authorize:
            pattern: ^/oauth/v2/auth
            # Add your favorite authentication process here

        api:
            pattern: ^/api
            fos_oauth: true
            stateless: true
            anonymous: true # note that anonymous access is now enabled

    # also note the absence of an "access_control" section
# app/config/security.yml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: security.csrf.token_manager # Use form.csrf_provider instead for Symfony <2.4
            logout: true
            anonymous: true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
# This is the CONFIG_A configuration.
# What happens here:
# When a user visits something like [HOST]/api/some_path the server responds with:
# { error: "access_denied", error_description: "OAuth2 authentication required" }
# If the user visits something like [HOST]/api/some_path?access_token=[....] (or sends the header "Authorization: Bearer OWQ0ODlmMzZ...") the server responds correctly.
# If the user tries to visit another path like [HOST]/secure/some_path, the server checks whether the user is logged in through the normal authentication, as in the standard workflow.
# In this last case, even if we send an access_token by GET, nothing happens: we must be logged in through the normal authentication.
# In the other case, if we are logged in through the normal login page and visit [HOST]/api/some_path, the server still responds with:
# { error: "access_denied", error_description: "OAuth2 authentication required" }
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    # Firewalls are matched in order and the first matching pattern wins,
    # so the narrow ^/api entry must stay above the catch-all ^/ entry.
    firewalls:
        api:
            pattern: ^/api
            fos_oauth: true
            stateless: true
            anonymous: false # anonymous access is disabled here: every /api request needs a valid OAuth2 token

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: security.csrf.token_manager # Use form.csrf_provider instead for Symfony <2.4
            anonymous: true
            context: primary_auth

        # Listed after main (^/), so main captures this path first; move it above
        # main if the token endpoint is really meant to bypass the security layer.
        oauth_token:
            pattern: ^/oauth/v2/token
            security: false

        # oauth_authorize not needed now
        #oauth_authorize:
        #    pattern: ^/oauth/v2/auth
        #    # Add your favorite authentication process here

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/secure/, role: IS_AUTHENTICATED_FULLY }
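As an added check (not part of the gist), a small Python model of Symfony's first-match firewall and access_control resolution, applied to the CONFIG_A entries above: the literals transcribe that file, and the shadowing probe is a heuristic that assumes simple `^/prefix` patterns like the ones used here. It shows which firewall serves each path from the description above and that `oauth_token`, listed after `main` (^/), is never reached.

```python
import re

# Transcribed from the CONFIG_A security.yml above (constructed as Python
# literals so the check runs without a YAML parser): (name, pattern, options).
CONFIG_A_FIREWALLS = [
    ("api", r"^/api", {"fos_oauth": True, "stateless": True, "anonymous": False}),
    ("main", r"^/", {"form_login": True, "anonymous": True}),
    ("oauth_token", r"^/oauth/v2/token", {"security": False}),
]
CONFIG_A_ACCESS_CONTROL = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/resetting", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin/", "ROLE_ADMIN"),
    (r"^/secure/", "IS_AUTHENTICATED_FULLY"),
]

def match_firewall(path, firewalls):
    """Symfony uses the first firewall whose pattern matches; later ones are skipped."""
    for name, pattern, _options in firewalls:
        if re.search(pattern, path):
            return name
    return None

def required_role(path, access_control):
    """access_control is also first-match. None means no rule constrains the
    path, so only the firewall's own listeners (e.g. fos_oauth) decide."""
    for pattern, role in access_control:
        if re.search(pattern, path):
            return role
    return None

def shadowed_firewalls(firewalls):
    """Heuristic: build a probe path from each firewall's literal prefix and
    report it if an earlier, broader firewall captures that probe instead."""
    shadowed = []
    for name, pattern, _options in firewalls:
        probe = pattern.lstrip("^").rstrip("$").rstrip("/") + "/probe"
        winner = match_firewall(probe, firewalls)
        if winner != name:
            shadowed.append((name, winner))
    return shadowed

if __name__ == "__main__":
    for path in ["/api/some_path", "/secure/some_path", "/oauth/v2/token"]:
        print(path, "->", match_firewall(path, CONFIG_A_FIREWALLS),
              "role:", required_role(path, CONFIG_A_ACCESS_CONTROL))
    print("shadowed:", shadowed_firewalls(CONFIG_A_FIREWALLS))
```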